Red Rock Eater Digest - In Defense of E-Signwriting


Source

Automatically imported from: http://commons.somewhere.com:80/rre/2000/RRE.In.Defense.of.E-Sign.html

Content


```
[Back in June I said some stuff about the electronic signatures bill that was probably wrong. The key issues are the degree to which legislation should define the concept of an electronic signature and the allocation of liability when signatures are forged.

http://commons.somewhere.com/rre/2000/RRE.electronic.signature.html

Brad Biddle wrote to set me straight, and I urged him to write a piece that explains the issues as he sees them. He has now written it, and it's enclosed. I know that everyone doesn't agree about the details or even the big picture, but the point here is simply that Brad's views lie within the scope of serious opinion and mine don't. For a lengthier and authoritative discussion, see this paper by Jane Winn:

http://www.kl.com/PracticeAreas/Technology/pubs/page20.stm

I happened to send this URL out a few days ago. See also the related discussion of security aspects of digital signatures (a more specific idea than electronic signatures) by Bruce Schneier that I also happened to send out a few days ago:

http://commons.somewhere.com/rre/2000/RRE.hacking.digital.sign.html

I've reformatted Brad's message to 70 columns.]

---

This message was forwarded through the Red Rock Eater News Service (RRE). You are welcome to send the message along to others but please do not use the "redirect" option. For information about RRE, including instructions for (un)subscribing, see http://dlis.gseis.ucla.edu/people/pagre/rre.html

---

Date: Tue, 14 Nov 2000 00:27:35 -0500 (EST)
From: Brad Biddle

IN DEFENSE OF E-SIGN

Several months ago, following the enactment of the Electronic Signatures in Global and National Commerce Act (E-SIGN), a number of articles appeared which criticized E-SIGN, including several which were circulated on RRE. In response to one such article I wrote to Phil and suggested that some of the concerns expressed about E-SIGN were misplaced and/or overstated. Phil invited me to write this message, which attempts to briefly refute three of the criticisms commonly levied against E-SIGN.

CRITICISM #1: The broad definition of "electronic signature" in E-SIGN is problematic; the bill should have focused on public key-based "digital signatures."

RESPONSE: Beginning in 1995 a number of states and international jurisdictions enacted PKI-specific "digital signature" laws. These laws have been widely (and accurately, in my view) criticized as (1) exposing consumers to extraordinary liability risk, (2) embodying an unjustifiable policy choice of subsidizing particular vendors of particular technologies via special liability rules, and (3) failing to squarely address the legal ambiguity over whether "signature" and "writing" requirements in the law could be met electronically. (See, e.g., Jane Winn's "Open Systems" or my own "Misplaced Priorities" and "Legislating Market Winners" for amplification of these arguments; full citations below.)

An alternative legislative approach emerged which focused on elements of existing law that could inhibit electronic contracting, such as the common requirement that contracts for certain sales of goods be embodied in a "signed writing." The essence of this alternative approach is to simply say that an otherwise valid contract shouldn't be unenforceable just because it was formed electronically (and thus arguably didn't meet the "signed writing" requirement, for example). Legislation of this type does not alter the basic requirements of contract law: the underlying contract must still meet existing contract formation rules, must not be unconscionable, etc.

E-SIGN is legislation of this second type. It makes clear that an otherwise valid agreement is not invalid just because it was formed electronically. It does this by stating that any electronic "sign, symbol, or process" can serve as a signature IF it was "executed or adopted ... with the intent to sign" the relevant document. So, virtually any symbol or process can serve to meet a "signature" requirement imposed by law, so long as it was applied with the requisite intent. E-SIGN also provides that an "electronic record" can satisfy a requirement for a "writing" under most circumstances. This is a sensible approach to electronic contracting. It eliminates a legal barrier to electronic commerce without altering the careful balance of underlying substantive contract law.

An example may be helpful. If Phil and I exchange e-mail and reach agreement for me to buy his car, under E-SIGN I can't get out of the deal by arguing that he doesn't technically have a "signed writing": my plaintext " -- Brad" at the bottom of my e-mail to him could serve to meet the legal requirement of a signature, and the e-mail message would count as a writing. I'm left with all my other contract law arguments, however: e.g., I could argue that we never had true agreement (i.e., we were still negotiating), or that he defrauded me, or that I was incapacitated at the time of contracting, or that the balance of power in our relationship and the bad deal terms made the deal unconscionable, etc.

E-SIGN attempts to solve a specific, identifiable problem: ambiguity concerning how "signature" and "writing" requirements apply in an electronic environment. (Incidentally, signature and writing requirements are much more rare than non-lawyers typically expect; only very specific categories of contracts require a signature to be effective, for example.) E-SIGN permits all sorts of authentication technologies (including PKI) to flourish, and allows market participants to pick the authentication technology that best meets their particular circumstances. The substantive rules of contract law are not altered by E-SIGN, and these rules should serve to prevent the abuses that E-SIGN critics have argued will occur under the new law.

Digital signature laws, on the other hand, do not resolve the "signed writing" ambiguity, and create a host of other serious problems. If government desires to foster the development of a public key infrastructure there are other ways to do so other than mandating that PKI digital signatures are the only way to create legal signatures electronically.

CRITICISM #2: Under E-SIGN, innocent consumers will be liable for fraud perpetrated with their electronic signature.

RESPONSE: The early PKI-specific "digital signature" laws did shift the risk of fraud to users of digital signatures. If a user negligently lost their private key they faced unlimited liability for any resulting damages; even if not negligent they faced the near-impossible task of overcoming a strong legal presumption that documents signed with their private key were signed by them. Early drafts of the Uniform Electronic Transactions Act (UETA), while not PKI-specific, also contained attribution rules which departed from the traditional law of signatures and made it more difficult for a victim of fraud to avoid liability. After considerable debate, later drafts of UETA dropped these controversial attribution rules. E-SIGN, which is modeled in large part on UETA, does not contain any attribution provisions. That is, it does not alter existing law concerning signatures and attribution; the same attribution rules that apply to paper signatures apply to electronic signatures.

The rules that generally apply to paper signatures, and thus to electronic signatures under E-SIGN, are favorable to consumers. When the legitimacy of a signature is in dispute, generally the party who desires to rely on the signature bears the burden of proving its legitimacy.

(See Biddle, "Misplaced Priorities" for a discussion of risk shifting under digital signature laws; Wright (Chapter 14) for UETA history re attribution, and Winn, "Open Systems" for an overview of the law of signatures; Winn, "Couriers" also has great material re signatures and attribution.)

CRITICISM #3: E-SIGN endorses click-through agreements; click-through (or "webwrap") agreements should not be upheld.

RESPONSE: If the law required that a particular contract be signed, under E-SIGN clicking an "I agree" box could be deemed a "signature" sufficient to meet that signature requirement (subject to E-SIGN's consumer consent and record retention rules, which I won't discuss here). Few contracts actually require a signature, however. Substantive contract law usually requires only a "manifestation of assent," and it seems clear that clicking "I agree" could be deemed a manifestation of assent regardless of whether E-SIGN applies. Indeed, the several recent cases which have addressed shrinkwrap and click-through contracts have raised a number of important contractual issues, but in no case was the signature issue legally significant. The bottom line is that in the important debate over click-through agreements, E-SIGN and the issue of legal signature play only a very peripheral role.

SOME ADDITIONAL THOUGHTS: E-SIGN is not perfect legislation. It sweeps broadly, and may eliminate paper signature and writing requirements even in certain specific circumstances where the requirement for paper is meaningful. It occupies space that historically has been left to state legislatures. Its "consent" provisions, designed to protect consumers, are awkward for consumers and businesses alike. The basic principles of E-SIGN are sound, however. Much of the criticism of E-SIGN to date has not been particularly thoughtful.

ABOUT ME: I've written extensively about electronic authentication, starting with a 1995 article for the CPSR newsletter which focused on the privacy and risk allocation problems associated with the Utah Digital Signature Act. I worked for the Privacy Rights Clearinghouse while in law school. I practiced law with a big Silicon Valley law firm for a while, taught Cyberspace Law at California Western School of Law, served a brief stint as general counsel of MP3.com, and now live in Phoenix, AZ and work for Intel's eBusiness Group. Any resemblance between the personal opinions expressed in this e-mail and any official Intel position is entirely coincidental.

REFERENCES:

C. Bradford Biddle, "Misplaced Priorities: the Utah Digital Signature Act and Liability Allocation in a Public Key Infrastructure" (published in the San Diego Law Review (1996))

C. Bradford Biddle, "Legislating Market Winners: Digital Signature Laws and the Electronic Commerce Marketplace" (published in the World Wide Web Journal and in the San Diego Law Review (1997))

C. Bradford Biddle, "Public Key Infrastructures and 'Digital Signature' Legislation: 10 Public Policy Questions" (this is reprinted in Simson Garfinkel's book "Web Security and Commerce" (1997))

Jane K. Winn, "Open Systems, Free Markets and the Regulation of Internet Commerce" (published in Tulane Law Review (1998))

Jane K. Winn, "Couriers Without Luggage: Negotiable Instruments and Digital Signatures" (1998)

Benjamin Wright and Jane Winn, The Law of Electronic Commerce (2000).

--Brad
```
